Conversation
}

fn on_checkout_start(&self, url: &Url, rev: &str) -> usize {
let url = redacted_url(url);
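Review bot: the shadowing `let url = redacted_url(url);` at the top of `on_checkout_start` deserves a one-line comment, because from this point on `url` no longer carries credentials and anything in the body that still needs them must read them from the parameter before this line. Stating that intent next to the shadowing makes the choice (redact at entry rather than at each use site) visible to whoever adds the next trace statement.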
Why not move this to the use site, like line 320/322?

The idea is to make it more unlikely for future changes to use the Url with credentials. The places I didn't do this were where we were also potentially using the credentials from the Url.
crates/uv-git-types/src/lib.rs (outdated)

let _ = url.set_password(Some("****"));
// A username on its own might be a secret token.
} else if url.username() != "" {
let _ = url.set_username("****");
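Review bot: the `let _ =` on `set_password` and `set_username` silently discards the `Result`; a short comment saying why that is acceptable would save the next reader a trip to the `url` crate docs. Those setters only fail for cannot-be-a-base or host-less URLs, and the `else if url.username() != ""` guard already implies a host is present, so the failure should be unreachable here; say so in a comment (or use `expect` with that reason) rather than leaving an ignored error that looks like a redaction that might not happen. The "Avoid panics for cannot-be-a-base URLs" entry further down this thread is a reminder that such inputs do reach this code path.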
It's a little confusing that half of our redact methods remove the credentials entirely, and then half replace them with stars. It's also a little strange (though may not matter in practice) that we're using this version for the cache key, so like the cache key path now includes these stars?
It might be nice to use a different name for these methods that replace with stars vs. those that remove the credentials entirely (like sensitive vs. redact or without_credentials or something).
Or just drop the stars entirely and match the existing redact logic for consistency for now.

It can be helpful to have the stars when debugging but we can defer this decision until after this PR (on main we do it in some places and not others). The follow-up PR will put this decision in one place. To move this PR forward, I've removed the masking from redacted_url and dropped the stars there.
I've also removed all uses from uv-auth (including around the credentials cache). As a result, I've moved redacted_url out of uv-auth and into a new uv-redacted crate. This means we continue to rely on the existing mechanisms for redacting credentials there. This should help move the PR forward and is still a strict improvement.

Agreed! Can definitely be helpful, mostly just pointing out that there are two different behaviors using the same terminology and we probably need to be thoughtful about which we use at each site (e.g., *** for anything in tracing; omitted entirely for anything persisted, like the lockfile).
(Seems fine to merge.)
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [astral-sh/uv](https://github.com/astral-sh/uv) | patch | `0.7.3` -> `0.7.5` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>astral-sh/uv (astral-sh/uv)</summary>

### [`v0.7.5`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#075)

[Compare Source](astral-sh/uv@0.7.4...0.7.5)

##### Bug fixes

- Support case-sensitive module discovery in the build backend ([#13468](astral-sh/uv#13468))
- Bump Simple cache bucket to v16 ([#13498](astral-sh/uv#13498))
- Don't error when the script is too short for the buffer ([#13488](astral-sh/uv#13488))
- Add missing word in "script not supported" error ([#13483](astral-sh/uv#13483))

### [`v0.7.4`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#074)

[Compare Source](astral-sh/uv@0.7.3...0.7.4)

##### Enhancements

- Add more context to external errors ([#13351](astral-sh/uv#13351))
- Align indentation of long arguments ([#13394](astral-sh/uv#13394))
- Preserve order of dependencies which are sorted naively ([#13334](astral-sh/uv#13334))
- Align progress bars by largest name length ([#13266](astral-sh/uv#13266))
- Reinstall local packages in `uv add` ([#13462](astral-sh/uv#13462))
- Rename `--raw-sources` to `--raw` ([#13348](astral-sh/uv#13348))
- Show 'Downgraded' when `self update` is used to install an older version ([#13340](astral-sh/uv#13340))
- Suggest `uv self update` if required uv version is newer ([#13305](astral-sh/uv#13305))
- Add 3.14 beta images to uv Docker images ([#13390](astral-sh/uv#13390))
- Add comma after "i.e." in Conda environment error ([#13423](astral-sh/uv#13423))
- Be more precise in unpinned packages warning ([#13426](astral-sh/uv#13426))
- Fix detection of sorted dependencies when include-group is used ([#13354](astral-sh/uv#13354))
- Fix display of HTTP responses in trace logs for retry of errors ([#13339](astral-sh/uv#13339))
- Log skip reasons during Python installation key interpreter match checks ([#13472](astral-sh/uv#13472))
- Redact credentials when displaying URLs ([#13333](astral-sh/uv#13333))

##### Bug fixes

- Avoid erroring on `pylock.toml` dependency entries ([#13384](astral-sh/uv#13384))
- Avoid panics for cannot-be-a-base URLs ([#13406](astral-sh/uv#13406))
- Ensure cached realm credentials are applied if no password is found for index URL ([#13463](astral-sh/uv#13463))
- Fix `.tgz` parsing to respect true extension ([#13382](astral-sh/uv#13382))
- Fix double self-dependency ([#13366](astral-sh/uv#13366))
- Reject `pylock.toml` in `uv add -r` ([#13421](astral-sh/uv#13421))
- Retain dot-separated wheel tags during cache prune ([#13379](astral-sh/uv#13379))
- Retain trailing comments after PEP 723 metadata block ([#13460](astral-sh/uv#13460))

##### Documentation

- Use "export" instead of "install" in `uv export` arguments ([#13430](astral-sh/uv#13430))
- Remove extra newline ([#13461](astral-sh/uv#13461))

##### Preview features

- Build backend: Normalize glob paths ([#13465](astral-sh/uv#13465))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
This PR redacts credentials in displayed URLs.

It mostly relies on a `redacted_url` function (and where possible `IndexUrl::redacted`). This is a quick way to prevent leaked credentials but it's prone to programmer error when adding new trace statements. A better follow-on would use a `RedactedUrl` type with the appropriate `Display` implementation. This would allow us to still extract credentials from the URL while displaying it securely. On the plus side, the sites where the `redacted_url` function is used serve as easy signposts for where to use the new type in a future PR.

Closes #1714.
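As an added example (not code from this PR or from uv), here is one shape the proposed `RedactedUrl` newtype could take, together with a `redacted_url` that removes the userinfo outright rather than masking it with stars, the behaviour the review thread above settled on. Assumptions: a minimal string-backed `Url` stand-in replaces the `url` crate so the block runs with no dependencies, and the `authority_span` and `credentials` helpers are hypothetical names.

```rust
use std::fmt;

/// Minimal string-backed stand-in for `url::Url` (assumption: avoids the crate dependency).
#[derive(Clone, Debug, PartialEq)]
pub struct Url(String);

impl Url {
    pub fn parse(s: &str) -> Url { Url(s.to_string()) }
    pub fn as_str(&self) -> &str { &self.0 }
}

/// Byte range of the authority (`user:pass@host:port`) after `scheme://`, if any.
fn authority_span(s: &str) -> Option<(usize, usize)> {
    let start = s.find("://")? + 3;
    let rel_end = s[start..].find(|c: char| matches!(c, '/' | '?' | '#'));
    Some((start, rel_end.map_or(s.len(), |i| start + i)))
}

/// Credentials in the authority as `(username, Option<password>)`; a bare username counts too, since it may be a token.
pub fn credentials(url: &Url) -> Option<(String, Option<String>)> {
    let (start, end) = authority_span(url.as_str())?;
    let authority = &url.as_str()[start..end];
    let userinfo = &authority[..authority.rfind('@')?];
    Some(match userinfo.split_once(':') {
        Some((user, pass)) => (user.to_string(), Some(pass.to_string())),
        None => (userinfo.to_string(), None),
    })
}

/// Copy of the URL with the userinfo removed entirely (no `****` masking); an `@` in the path or query is left alone.
pub fn redacted_url(url: &Url) -> Url {
    let s = url.as_str();
    match authority_span(s).and_then(|(st, en)| s[st..en].rfind('@').map(|at| (st, at))) {
        Some((st, at)) => Url(format!("{}{}", &s[..st], &s[st + at + 1..])),
        None => url.clone(),
    }
}

/// Newtype whose only `Display` is the redacted form (and no `Debug`, so `{:?}` will not compile and leak).
pub struct RedactedUrl(Url);

impl RedactedUrl {
    pub fn new(url: Url) -> Self { RedactedUrl(url) }
    /// Explicit, greppable access to the secret for the few sites that need it.
    pub fn credentials(&self) -> Option<(String, Option<String>)> { credentials(&self.0) }
}

impl fmt::Display for RedactedUrl {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str(redacted_url(&self.0).as_str())
    }
}
```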